Abstract

Assume that two distant parties, Alice and Bob, as well as an adversary, Eve, have access
to (quantum) systems prepared jointly according to a tripartite state $\rho_{ABE}$. In addition,
Alice and Bob can use local operations and authenticated public classical communication. 
Their goal is to establish a key which is unknown to Eve. We initiate the study of this 
scenario as a unification of two standard scenarios: (i) key distillation (agreement) from 
classical correlations and (ii) key distillation from pure tripartite quantum states. 

Firstly, we obtain generalisations of fundamental results related to scenarios (i) and (ii), 
including upper bounds on the key rate, i.e., the number of key bits that can be extracted 
per copy of $\rho_{ABE}$. Moreover, based on an embedding of classical distributions into quantum
states, we are able to find new connections between protocols and quantities in the standard 
scenarios (i) and (ii). 

Secondly, we study specific properties of key distillation protocols. In particular, we show 
that every protocol that makes use of pre-shared key can be transformed into an equally 
efficient protocol which needs no pre-shared key. This result is of practical significance as 
it applies to quantum key distribution (QKD) protocols, but it also implies that the key 
rate cannot be locked with information on Eve's side. Finally, we exhibit an arbitrarily large 
separation between the key rate in the standard setting where Eve is equipped with quantum 
memory and the key rate in a setting where Eve is only given classical memory. This shows 
that assumptions on the nature of Eve's memory are important in order to determine the 
correct security threshold in QKD. 

1 Introduction 

Many cryptographic tasks such as message encryption or authentication rely on secret keys, i.e.,
random strings only known to a restricted set of parties. In information-theoretic cryptography,
where no assumptions on the adversary's resources are made, distributing keys between distant
parties is impossible if only public classical communication channels are available [TJ [5]. However,
this situation changes dramatically if the parties have access to additional devices such as noisy
channels (where also a wiretapper is subject to noise), a noisy source of randomness, a quantum
channel, or a pre-shared quantum state. As shown in [51 [31 0] [51 [5], these devices allow the secure
distribution of keys.

This work is concerned with information-theoretic key distillation from pre-distributed noisy 
data. More precisely, we consider a situation where two distant parties, Alice and Bob, have access 
to (not necessarily perfectly) correlated pieces of (classical or quantum) information, which might 
be partially known to an adversary, Eve. The goal of Alice and Bob is to distill virtually perfect
key bits from these data, using only an authentic (but otherwise insecure) classical communication 
channel. 

Generally speaking, key distillation is possible whenever Alice and Bob's data are sufficiently 
correlated and, at the same time, Eve's uncertainty on these data is sufficiently large. It is one
of the goals of this paper to exhibit the properties pre-shared data must have in order to allow 
key distillation. 

In practical applications, the pre-distributed data might be obtained from realistic physical 
devices such as noisy (classical or quantum) channels or other sources of randomness. Eve's 
uncertainty on Alice and Bob's data might then be imposed by inevitable noise in the devices 
due to thermodynamic or quantum effects. 

Quantum key distribution (QKD) can be seen as a special case of key distillation where the
pre-shared data is generated using a quantum channel. The laws of quantum physics imply that 
the random values held by one party, say Alice, cannot at the same time be correlated with Bob 
and Eve. Hence, whenever Alice and Bob's values are strongly correlated (which can be checked 
easily) then Eve's uncertainty about them must inevitably (by the laws of quantum mechanics) be 
large, hence, Alice and Bob can distil key. Because of this close relation between key distillation 
and QKD, many of the results we give here will have direct implications to QKD. 

Furthermore, the theory of key distillation has nice parallels with the theory of entanglement 
distillation, where the goal is to distil maximally entangled states (also called singlets) from 
(a sequence of) bipartite quantum states. In fact, the two scenarios have many properties in 
common. For example, there is a gap between the key rate (i.e., the amount of key that can 
be distilled from some given noisy data) and the key cost (the amount of key that is needed to 
simulate the noisy data, using only public classical communication) [7] . This gap can be seen as 
the classical analogue of a gap between distillable entanglement (the amount of singlets that can
be distilled from a given bipartite quantum state) and entanglement cost (the amount of singlets 
needed to generate the state). 

1.1 Related work 

The first and basic instance of an information-theoretic key agreement scenario is Wyner's wiretap 
channel [8]. Here, Alice can send information via a noisy classical channel to Bob. Eve, the 
eavesdropper, has access to a degraded version of Bob's information. Wyner has calculated the 
rate at which key generation is possible if only Alice is allowed to send public classical messages to 
Bob. Wyner's work has later been generalised by Csiszár and Körner, relaxing the restrictions on
the type of information given to Eve. Based on these ideas, Maurer and Ahlswede and Csiszár
have proposed an extended scenario where key is distilled from arbitrary correlated classical
information (specified by a tripartite probability distribution) [2, 4]. In particular, Maurer has
shown that two-way communication can lead to a strictly positive key rate even though the key
rate in the one-way communication scenario might be zero.

In parallel to this development quantum cryptography emerged: in 1984 Bennett and Brassard
devised a QKD scheme in which quantum channels could be employed in order to generate a secure
key without the need to put a restriction on the eavesdropper [5]. In 1991, Ekert discovered that
quantum cryptographic schemes could be based on entanglement, that is, on quantum correlations
that are strictly stronger than classical correlations [6]. Clearly, this is key distillation from
quantum information.

^In certain scenarios, including the one studied in this paper, an authentic classical channel is needed in addition.

The first to spot a relation between the classical and the quantum development were Gisin 
and Wolf; in analogy to bound entanglement in quantum information theory, they conjectured the 
existence of bound information, namely classical correlation that can only be created from key 
but from which no key can be distilled [9]. Their conjecture remains unsolved, but has stimulated 
the community in search for an answer. 

To derive lower bounds on the key rate, we will make repeated use of results by Devetak and 
Winter, who derived a bound on the key rate if the tripartite quantum information consists of 
many identical and mutually independent pieces, and by Renner and Konig, who derived privacy 
amplification results which also hold if this independence condition is not satisfied [10, 11].

1.2 Contributions 

We initiate the study of a unified key distillation scenario, which includes key distillation from 
pre-shared classical and quantum data (Section 2). We then derive a variety of quantitative
statements related to this scenario. These unify and extend results from both the quantum and 
classical world. 

There are numerous upper bounds available in the specific scenarios and it is our aim to provide 
the bigger picture that will put order into this zoo by employing the concept of a secrecy monotone, 
i.e., a function that decreases under local operations and public communication (Section 3), as
introduced in [12]. The upper bounds can then roughly be subdivided into two categories: (i) the
ones based on classical key distillation [13] and (ii) the ones based on quantum communication
or entanglement measures [14].

The unified scenario that we develop does not stop at an evaluation of the key rate but 
lets us investigate intricate connections between the two extremes. We challenge the viewpoint 
of Gisin and Wolf who highlight the relation between key distillation from classical correlation 
and entanglement distillation from this very correlation embedded into quantum states [9]: we
prove a theorem that relates key distillation from certain classical correlation and key (and not
entanglement) distillation from their embedded versions (Section 4). This ties in with recent work
which established that key distillation can be possible even from quantum states from which no
entanglement can be distilled [15].

A fruitful concept that permeates this work is the concept of locking of classical information 
in quantum states: let Alice choose an $n$-bit string with uniform probability and
let her either send the state $|x_1\rangle \ldots |x_n\rangle$ or the state $H^{\otimes n}|x_1\rangle \ldots |x_n\rangle$ to Bob, where $H$ is the
Hadamard transformation. Not knowing if the string is sent in the computational basis or in
the Hadamard basis, it turns out that the optimal measurement that Bob can do in order to
maximise the mutual information between the measurement outcome $y$ and Alice's string $x$ is
with respect to a randomly chosen basis, in which case he will obtain $I(X;Y) = \frac{n}{2}$. If, however,
he has access to the single bit which determines the basis, he will have $I(X;Y) = n$. A single
bit can therefore unlock an arbitrary amount of information. This effect has been termed locking
of classical information in quantum states or simply locking and was first described in [16]. In
this paper, we will discuss various types of locking effects and highlight their significance for the
design and security of QKD protocols (Section 5).

Finally, we demonstrate that the amount of key that can be distilled from given pre-shared 
data strongly depends on whether Eve is assumed to store her information in a classical or in a 
quantum memory. This, again, has direct consequences for the analysis of protocols in quantum 
cryptography (Section 6).

For a more detailed explanation of the contributions of this paper, we refer to the introductory 
paragraphs of Sections [3HS1 
2 The unified key distillation scenario



In classical information-theoretic cryptography one considers the problem of distilling key from 
correlated data specified by a tripartite probability distribution $p_{ijk}$ ($p_{ijk} \geq 0$, $\sum_{ijk} p_{ijk} = 1$).
Alice and Bob who wish to distil the key have access to $i$ and $j$, respectively, whereas
the eavesdropper Eve knows the value $k$ (see, e.g., [H]). Typically, it is assumed that many
independently generated copies of the triples $(i,j,k)$ are available. The key rate or distillable
key of a distribution $p_{ijk}$ is the rate at which key bits can be obtained per realisation of this
distribution, if Alice and Bob are restricted to local operations and public but authentic classical 
communication. 

Before we continue to introduce the quantum version of the key distillation scenario described
above, let us quickly note that it will be convenient to regard probability distributions as classical
states, that is, given probabilities $p_i$, we consider $\rho = \sum_i p_i |i\rangle\langle i|$, where $|i\rangle$ is an orthonormal
basis of a $d$-dimensional Hilbert space; we will assume that $d < \infty$. In the sequel we will encounter
not only classical or quantum states, but also states that are distributed over several systems
which might be partly classical and partly quantum-mechanical. To make this explicit, we say
that a bipartite state $\rho_{AB}$ is cq (classical-quantum) if it is of the form $\rho_{AB} = \sum_i p_i |i\rangle\langle i|_A \otimes \rho_B^i$
for quantum states $\rho_B^i$ and a probability distribution $p_i$. This definition easily extends to three
or more parties, for instance:

• a ccq (classical-classical-quantum) state $\rho_{ABE}$ is of the form $\sum_{i,j} p_{ij} |i\rangle\langle i|_A \otimes |j\rangle\langle j|_B \otimes \rho_E^{ij}$,
where $p_{ij}$ is a probability distribution and $\rho_E^{ij}$ are arbitrary quantum states.

• the probability distribution $p_{ijk}$ corresponds to a ccc (classical-classical-classical) state
$\rho_{ABE} = \sum_{i,j,k} p_{ijk} |ijk\rangle\langle ijk|_{ABE}$, where we use $|ijk\rangle_{ABE}$ as a short form for $|i\rangle_A \otimes |j\rangle_B \otimes |k\rangle_E$
(as above, the states $|i\rangle_A$ for different values of $i$, and likewise $|j\rangle_B$ and $|k\rangle_E$, are normalised
and mutually orthogonal).

We will be concerned with key distillation from arbitrary tripartite quantum states $\rho_{ABE}$
shared by Alice, Bob, and an adversary Eve, assisted by local quantum operations and public
classical communication (LOPC) [10, 19, 15]. A local quantum operation on Bob's side is of the
form

$$\rho_{ABE} \mapsto (I_{AE} \otimes \Lambda_B)(\rho_{ABE}) . \qquad (1)$$

Public classical communication from Alice to Bob can be modelled by copying a local classical
register, i.e., any state of the form $\rho_{AA'BE} = \sum_i \rho^i_{ABE} \otimes |i\rangle\langle i|_{A'}$ is transformed into
$\rho'_{AA'BB'EE'} = \sum_i \rho^i_{ABE} \otimes |iii\rangle\langle iii|_{A'B'E'}$. Similarly, one can define these operations with the roles of Alice and
Bob interchanged.

The goal of a key distillation protocol is to transform copies of tripartite states $\rho_{ABE}$ into a
state which is close to

$$\tau^\ell_{ABE} = \frac{1}{2^\ell} \sum_{i=1}^{2^\ell} |ii\rangle\langle ii|_{AB} \otimes \tau_E \qquad (2)$$

for some arbitrary $\tau_E$. $\tau^\ell_{ABE}$ (also denoted $\tau^\ell$ for short) corresponds to a perfect key of length $\ell$,
i.e., uniform randomness on an alphabet of size $2^\ell$ shared by Alice and Bob and independent of
Eve's system. We measure closeness of two states $\rho$ and $\sigma$ in terms of the trace norm
$\|\rho - \sigma\| = \frac{1}{2}\mathrm{Tr}|\rho - \sigma|$. The trace norm is the natural quantum analogue of the variational distance to which
it reduces if $\rho$ and $\sigma$ are classical.

We will now give the formal definition of an LOPC protocol and of the key rate. 

^Using de Finetti's representation theorem, this assumption can be weakened to the assumption that the overall 
distribution of all triples is invariant under permutations (see [18] for more details including a treatment of the
quantum case). 
Definition 2.1. An LOPC protocol $\mathcal{P}$ is a family $\{\Lambda_n\}_{n\in\mathbb{N}}$ of completely positive trace preserving
(CPTP) maps

$$\Lambda_n : (\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_E)^{\otimes n} \to \mathcal{H}_A^n \otimes \mathcal{H}_B^n \otimes \mathcal{H}_E^n \qquad (3)$$

which are defined by the concatenation of a finite number of local operation and public communication
steps.

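Definition 2.2. We say that an LOPC protocol $\mathcal{P}$ distills key at rate $R_{\mathcal{P}}$ if there exists a sequence
$\{\ell_n\}_{n\in\mathbb{N}}$ such that

$$\limsup_{n\to\infty} \frac{\ell_n}{n} = R_{\mathcal{P}} \qquad (4)$$

$$\lim_{n\to\infty} \|\Lambda_n(\rho_{ABE}^{\otimes n}) - \tau^{\ell_n}_{ABE}\| = 0 \qquad (5)$$

where $\tau^{\ell_n}_{ABE}$ are the ccq states defined by (2). The key rate or distillable key of a state $\rho_{ABE}$ is
defined as $K_D(\rho_{ABE}) := \sup_{\mathcal{P}} R_{\mathcal{P}}$.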

The quantity $K_D$ obviously depends on the partition of the state given as argument into the
three parts controlled by Alice, Bob, and Eve, respectively. We thus indicate the assignment of
subsystems by semicolons if needed. For instance, we write $\rho_{AD;B;E}$ if Alice holds an additional
system $D$.

As shown in the appendix, the maximisation in the definition of $K_D$ can be restricted to
protocols whose communication complexity grows at most linearly in the number of copies of
$\rho_{ABE}$. Hence, if $d = \dim \mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_E < \infty$ then the dimension of the output of the protocol
is bounded by $\log \dim \mathcal{H}_A^n \otimes \mathcal{H}_B^n \otimes \mathcal{H}_E^n \leq cn \log d$, for some constant $c$.

The above security criterion is (strictly) weaker than the one proposed in [10], hence $K_D(\rho_{ABE})$
evaluated on cqq states is lower bounded by an expression derived in [10]:

$$K_D(\rho_{ABE}) \geq I(A:B)_\rho - I(A:E)_\rho . \qquad (6)$$

This expression can be seen as a quantum analogue of the well-known bound of Csiszár, Körner,
and Maurer [3, 17]. Here $I(A:B)_\rho$ denotes the mutual information defined by $I(A:B)_\rho :=
S(A)_\rho + S(B)_\rho - S(AB)_\rho$ where $S(A)_\rho := S(\rho_A)$ is the von Neumann entropy of system $A$ (and
similarly for $B$ and $E$). For later reference we also define the conditional mutual information
$I(A:B|E)_\rho := S(AE)_\rho + S(BE)_\rho - S(ABE)_\rho - S(E)_\rho$.

Note also that the criterion for the quality of the distilled key used in Definition 2.2 implies that
the key is both uniformly distributed and independent of the adversary's knowledge, just as in
Previous works considered uniformity and security separately. Note that, even though weaker
than certain alternative criteria such as the one of [10], the security measure of Definition 2.2 is
universally composable [11].

In [5^, the question was posed whether the security condition also holds if the accessible 
information is used instead of the criterion considered here. Recently, it has been shown that this 
is not the case [21] . More precisely, an example of a family of states was exhibited such that Eve 
has exponentially small knowledge in terms of accessible information but constant knowledge in 
terms of the Holevo information. This implies that in this context, security definitions based on 
the accessible information are problematic. In particular, a key might be insecure even though 
the accessible information of an adversary on the key is exponentially small (in the key size). 

^The security criterion of [10] implies that, conditioned on any value of the key, Eve's state is almost the same.
In contrast, according to the above definition, Eve's state might be arbitrary for a small number of values of the
key.

3 Upper bounds for the key rate



In this section, we first derive sufficient conditions that a function has to satisfy in order to be an
upper bound for the key rate (Section 3.1). We focus on functions that are secrecy monotones [12],
i.e., they are monotonically decreasing under LOPC operations. Our approach therefore parallels
the situation in classical and quantum information theory where resource transformations are also
bounded by monotonic functions; examples include the proofs of converses to coding theorems
and entanglement measures (see, e.g., [13]). As a corollary to our characterisation of secrecy
monotones, we show how to turn entanglement monotones into secrecy monotones.

In a second part (Section 3.2), we provide a number of concrete secrecy monotones that satisfy
the conditions mentioned above. They can be roughly divided into two parts: (i) functions derived
from the intrinsic information and (ii) functions based on entanglement monotones. Finally, we
will compare different secrecy monotones (Section 3.3) and study a few particular cases in more
detail (Section 3.4).



3.1 Secrecy monotones 

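Theorem 3.1. Let $M(\rho)$ be a function mapping tripartite quantum states $\rho = \rho_{ABE}$ into the
positive numbers such that the following holds:

1. Monotonicity: $M(\Lambda(\rho)) \leq M(\rho)$ for any LOPC operation $\Lambda$.

2. Asymptotic continuity: for any states $\rho^n, \sigma^n$ on $\mathcal{H}_A^n \otimes \mathcal{H}_B^n \otimes \mathcal{H}_E^n$, the condition $\|\rho^n - \sigma^n\| \to 0$
implies $\frac{1}{\log r_n}|M(\rho^n) - M(\sigma^n)| \to 0$ where $r_n = \dim(\mathcal{H}_A^n \otimes \mathcal{H}_B^n \otimes \mathcal{H}_E^n)$.

3. Normalisation: $M(\tau^\ell) = \ell$.

Then the regularisation of the function $M$ given by $M^\infty(\rho) = \limsup_{n\to\infty} \frac{M(\rho^{\otimes n})}{n}$ is an upper
bound on $K_D$, i.e., $M^\infty(\rho_{ABE}) \geq K_D(\rho_{ABE})$ for all $\rho_{ABE}$ with $\dim \mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_E < \infty$. If in
addition $M$ satisfies

4. Subadditivity on tensor products: $M(\rho^{\otimes n}) \leq nM(\rho)$,

then $M$ is an upper bound for $K_D$.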

Proof. Consider a key distillation protocol $\mathcal{P}$ that produces output states $\sigma^n$ such that
$\|\sigma^n - \tau^{\ell_n}\| \to 0$. We will show that $M^\infty(\rho) \geq R_{\mathcal{P}}$. Let us assume without loss of generality that
$R_{\mathcal{P}} > 0$. Indeed, by monotonicity we have $M(\rho^{\otimes n}) \geq M(\sigma^n)$, which is equivalent to

$$\frac{1}{n} M(\rho^{\otimes n}) \geq \frac{\ell_n}{n} \left( \frac{M(\sigma^n) - M(\tau^{\ell_n})}{\ell_n} + 1 \right) \qquad (7)$$

where we have used the normalisation condition. As remarked in Definition 2.2 there is a constant
$c > 0$ such that $\log r_n \leq cn$ and by definition of $R_{\mathcal{P}}$ there exists a $c' > 0$ and $n_0$ such that for all
$n \geq n_0$, $\log d_n \geq c'n$. Hence $\ell_n \geq c'n \geq \frac{c'}{c} \log r_n$, therefore asymptotic continuity implies

$$\lim_{n\to\infty} \frac{1}{\ell_n} |M(\sigma^n) - M(\tau^{\ell_n})| = 0 . \qquad (8)$$

Taking the limsup on both sides of (7) gives $M^\infty(\rho) \geq \limsup_n \frac{\ell_n}{n} = R_{\mathcal{P}}$. Thus we have shown
that $M^\infty$ is an upper bound for the rate of an arbitrary protocol, so that it is also an upper
bound for $K_D$. □
If we restrict our attention to the special case of key distillation from bipartite states $\rho_{AB}$,
we can immediately identify a well-known class of secrecy monotones, namely entanglement
monotones. A convenient formulation is in this case not given by the distillation of states $\tau^\ell$
with help of LOPC operations, but rather by the distillation of states $\gamma^\ell$ via local operations
and classical communication (LOCC), where $\gamma^\ell = U(|\psi\rangle\langle\psi|_{AB}^{\otimes \ell} \otimes \rho_{A'B'})U^\dagger$ for some unitary
$U = \sum_i |ii\rangle\langle ii|_{AB} \otimes U^{(i)}_{A'B'}$ and $|\psi\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$ [HI [22]. Note that measuring the state
$\gamma^\ell$ with respect to the computational bases on Alice and Bob's subsystems results in $\ell$ key bits.

Corollary 3.2. Let $E(\rho)$ be a function mapping bipartite quantum states $\rho = \rho_{AB}$ into the
positive numbers such that the following holds:

1. Monotonicity: $E(\Lambda(\rho)) \leq E(\rho)$ for any LOCC operation $\Lambda$.

2. Asymptotic continuity: for any states $\rho^n, \sigma^n$ on $\mathcal{H}_A^n \otimes \mathcal{H}_B^n$, the condition $\|\rho^n - \sigma^n\| \to 0$
implies $\frac{1}{\log r_n}|E(\rho^n) - E(\sigma^n)| \to 0$ where $r_n = \dim(\mathcal{H}_A^n \otimes \mathcal{H}_B^n)$.

3. Normalisation: $E(\gamma^\ell) \geq \ell$.

Then the regularisation of the function $E$ given by $E^\infty(\rho) = \limsup_{n\to\infty} \frac{E(\rho^{\otimes n})}{n}$ is an upper
bound on $K_D$, i.e., $E^\infty(\rho_{AB}) \geq K_D(|\psi\rangle\langle\psi|_{ABE})$ where $|\psi\rangle\langle\psi|_{ABE}$ is a purification of $\rho_{AB}$. If in
addition $E$ satisfies

4. Subadditivity on tensor products: $E(\rho^{\otimes n}) \leq nE(\rho)$,

then $E$ is an upper bound for $K_D$.

The analogue of this result in the realm of entanglement distillation has long been known:
namely, every function $E$ satisfying LOCC monotonicity, asymptotic continuity near maximally
entangled states as well as normalisation on maximally entangled states ($E(|\psi\rangle\langle\psi|) = \log d$ for
$|\psi\rangle = \frac{1}{\sqrt{d}} \sum_i |ii\rangle$) can be shown to provide an upper bound on distillable entanglement $E_D$ [23, 24],
that is, $E^\infty(\rho) \geq E_D(\rho)$. Additionally, if $E$ is subadditive, the same inequality holds with $E^\infty$
replaced by $E$. Indeed this result can be seen as a corollary to Corollary 3.2 by restricting from
distillation of states $\gamma^\ell$ to distillation of $|\psi\rangle\langle\psi|^{\otimes \ell}$ and noting that $|\psi\rangle\langle\psi|^{\otimes \ell}$ is of the form $\gamma^\ell$ with
trivial $A'B'$.

In the above corollary, we have identified asymptotic continuity on all states as well as
normalisation on the states $\gamma^\ell$ (rather than on singlets) as the crucial ingredients in order for an
entanglement measure to bound distillable key from above. Note also that we require those
additional conditions as, for instance, the logarithmic negativity as defined in [25] satisfies the weaker
conditions, therefore being an upper bound on distillable entanglement, but fails to be an upper
bound on distillable key.

We will now show how to turn this bound for bipartite states (or tripartite pure states) into
one for arbitrary tripartite states. The recipe is simple: for a given state $\rho_{ABE}$, consider a
purification $|\psi\rangle\langle\psi|_{AA'BB'E}$ where the purifying system is denoted by $A'B'$ and is split between
Alice and Bob. Clearly, for any splitting, $K_D(|\psi\rangle\langle\psi|_{AA'BB'E}) \geq K_D(\rho_{ABE})$. This inequality
combined with the previous corollary applied to $|\psi\rangle\langle\psi|_{AA'BB'E}$ proves the following statement.

Corollary 3.3. If $E$ satisfies the conditions of Corollary 3.2 then

$$K_D(\rho_{ABE}) \leq E^\infty(\rho_{AA'BB'}) , \qquad (9)$$

where $\rho_{AA'BB'} = \mathrm{Tr}_E |\psi\rangle\langle\psi|_{AA'BB'E}$ and $\rho_{ABE} = \mathrm{Tr}_{A'B'} |\psi\rangle\langle\psi|_{AA'BB'E}$. If $E$ is subadditive, the
same inequality holds with $E$ replacing $E^\infty$.

3.2 Examples of secrecy monotones

We will now introduce a number of secrecy monotones. We will only briefly comment on the 
relations between them. A more detailed analysis of how the different bounds on the key rate 
compare is given in Section 3.3.

3.2.1 Intrinsic information 

The intrinsic information of a probability distribution $p_{ijk}$ is given by

$$I(A:B \downarrow E) := \inf I(A:B|E')_\rho \qquad (10)$$

where $\rho_{ABE}$ is the ccc state corresponding to $p_{ijk}$. The infimum is taken over all channels from
$E$ to $E'$ specified by a conditional probability distribution $p_{l|k}$. $\rho_{ABE'}$ is the state obtained by
applying the channel to $E$. This quantity has been defined by Maurer and Wolf and provides an
upper bound on the key rate from classical correlations [13]. We can extend it in the following
way to arbitrary tripartite quantum states $\rho_{ABE}$.

Definition 3.4. The intrinsic information of a tripartite quantum state $\rho_{ABE}$ is given by

$$I(A:B \downarrow E)_\rho := \inf I(A:B|E')_\rho \qquad (11)$$

where the infimum is taken over all CPTP maps $\Lambda_{E \to E'}$ from $E$ to $E'$ where $\rho_{ABE'} = (I_{AB} \otimes
\Lambda_{E \to E'})(\rho_{ABE})$.

This definition is compatible with the original definition since it reduces to (10) if the systems
$A$, $B$ and $E$ are classical.

As shown in Appendix B, the intrinsic information satisfies the requirements of Theorem 3.1
and, hence, is an upper bound on the key rate.

Theorem 3.5. The intrinsic information is an upper bound on distillable key, i.e., $K_D(\rho_{ABE}) \leq
I(A:B \downarrow E)_\rho$.

Let us note that this bound differs from the bound proposed in (TH] where instead of all 
quantum channels, arbitrary measurements were considered. Our present bound can be tighter, 
as it can take into account Eve's quantum memory. 

In the case where $\rho_{ABE}$ is pure, this bound can be improved by a factor of two because
$I(A:B \downarrow E)_\rho = 2E_{sq}(\rho_{AB})$, where $E_{sq}$ is the squashed entanglement defined below and because
squashed entanglement is an upper bound for the key rate.

3.2.2 Squashed entanglement 

Definition 3.6. Squashed entanglement is defined as

$$E_{sq}(\rho_{AB}) = \frac{1}{2} \inf_{\rho_{ABE} :\, \rho_{AB} = \mathrm{Tr}_E \rho_{ABE}} I(A:B|E)_\rho . \qquad (12)$$

Squashed entanglement can be shown to be a LOCC monotone, additive [27], and asymptotically
continuous [28]. In [29, Proposition 4.19] it was shown to satisfy the normalisation condition
and is therefore an upper bound on distillable key according to Corollary 3.2.

Theorem 3.7. Squashed entanglement is an upper bound on distillable key, i.e., $K_D(\rho_{ABE}) \leq
E_{sq}(\rho_{AA'BB'})$ where $\rho_{AA'BB'} = \mathrm{Tr}_E |\psi\rangle\langle\psi|_{AA'BB'E}$ and $\rho_{ABE} = \mathrm{Tr}_{A'B'} |\psi\rangle\langle\psi|_{AA'BB'E}$.

3.2.3 Reduced intrinsic information



There is another way in which we can find a bound on the key rate which is tighter than the
intrinsic information. In [7] it was shown that the classical intrinsic information is E-lockable,
i.e., it can increase sharply when a single bit is taken away from Eve. Since (classical) distillable
key is not E-lockable, the bound that the intrinsic information provides cannot be tight. This
was the motivation for defining the reduced intrinsic information by $I(A:B \downarrow\downarrow E) = \inf\{I(A:B \downarrow
EE') + S(E')\}$ where the infimum is taken over arbitrary classical values $E'$ [7]. We now define
the quantum extension of this function.

Definition 3.8. Let $a = 1, 2$. The reduced intrinsic information (with parameter $a$) is given by

$$I(A:B \downarrow\downarrow E)^{(a)}_\rho = \inf\{I(A:B \downarrow EE')_\rho + aS(E')_\rho\} \qquad (13)$$

where the infimum is taken over all extensions $\rho_{ABEE'}$ with a classical register $E'$ if $a = 1$ and
over arbitrary extensions $\rho_{ABEE'}$ if $a = 2$.

The parameter $a$ reflects the different behaviour of the intrinsic information subject to loss of
a single bit (qubit). The reduced intrinsic information is an upper bound on distillable key since

$$K_D(\rho_{ABE}) \leq K_D(\rho_{ABEE'}) + aS(E') \leq I(A:B \downarrow EE') + aS(E') . \qquad (14)$$

The first inequality corresponds to Corollary 5.2 below.

Theorem 3.9. The reduced intrinsic information is an upper bound on distillable key, i.e.,
$K_D(\rho_{ABE}) \leq I(A:B \downarrow\downarrow E)^{(a)}_\rho$, for $a = 1, 2$.

3.2.4 Relative entropy of entanglement 

The relative entropy of entanglement and its regularised version are well-known entanglement 
measures that serve as important tools in entanglement theory. 

Definition 3.10. The relative entropy of entanglement is given by [30, 31]

$$E_R(\rho_{AB}) = \inf_{\sigma_{AB}} S(\rho_{AB} \| \sigma_{AB}) \qquad (15)$$

where $S(\rho_{AB} \| \sigma_{AB}) = \mathrm{Tr}\, \rho_{AB} [\log \rho_{AB} - \log \sigma_{AB}]$ and the minimisation is taken over all separable
states $\sigma_{AB}$, i.e. $\sigma_{AB} = \sum_i p_i \rho_A^i \otimes \rho_B^i$.

The relative entropy of entanglement was the first upper bound that has been provided for
$K_D(|\psi\rangle\langle\psi|_{ABE})$ [15], [22]. We now extend this result to all tripartite quantum states $\rho_{ABE}$.

Theorem 3.11. The relative entropy of entanglement is an upper bound on distillable key, i.e.,
$K_D(\rho_{ABE}) \leq E_R^\infty(\rho_{AA'BB'}) \leq E_R(\rho_{AA'BB'})$ where $\rho_{AA'BB'} = \mathrm{Tr}_E |\psi\rangle\langle\psi|_{AA'BB'E}$ and $\rho_{ABE} =
\mathrm{Tr}_{A'B'} |\psi\rangle\langle\psi|_{AA'BB'E}$.

It is a particular advantage of $E_R^\infty$ in its function as an upper bound that it is not lockable [32].

3.3 Comparison of secrecy monotones 
3.3.1 Pure versus mixed 

For entangled states, bounds derived from entanglement measures are usually tighter than the
intrinsic information and its reduced version. Consider for example the state $\rho_{ABE} = |\psi\rangle\langle\psi|_{AB} \otimes
\rho_E$ where $|\psi\rangle_{AB} = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$. Here we have

$$E_R(\rho_{ABE}) = E_R^\infty(\rho_{ABE}) = E_{sq}(\rho_{ABE}) = K_D(\rho_{ABE}) = 1 , \qquad (16)$$

while

$$I(A:B \downarrow E)_\rho = I(A:B \downarrow\downarrow E)^{(a)}_\rho = 2 , \qquad (17)$$

for $a = 1, 2$. In general, for tripartite pure states, squashed entanglement is a tighter bound on
the key rate than the intrinsic information by at least a factor of two:

$$2E_{sq}(|\psi\rangle\langle\psi|_{ABE}) = I(A:B \downarrow E) . \qquad (18)$$
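The values 2 and 1 in this comparison can be checked numerically from the entropy definitions of Section 2. The following is an added example, not code from the paper: it evaluates $I(A:B|E)_\rho$ for the singlet tensored with $\rho_E$ and the lower bound (6) after Alice and Bob measure in the computational basis, then contrasts this with a state in which Eve holds a copy of the bit. The choice of a maximally mixed $\rho_E$ and all function names are assumptions of this sketch.

```python
import numpy as np

DIMS = [2, 2, 2]          # one qubit each for A, B, E
A, B, E = 0, 1, 2

def entropy(rho):
    """Von Neumann entropy S(rho) in bits."""
    ev = np.linalg.eigvalsh(rho)
    ev = ev[ev > 1e-12]                      # drop numerically zero eigenvalues
    return float(-np.sum(ev * np.log2(ev)))

def reduce_to(rho, dims, keep):
    """Partial trace keeping the subsystems listed (ascending) in `keep`."""
    n = len(dims)
    t = rho.reshape(list(dims) + list(dims))
    # trace out unwanted subsystems from the highest index down
    for ax in sorted(set(range(n)) - set(keep), reverse=True):
        t = np.trace(t, axis1=ax, axis2=ax + t.ndim // 2)
    d = int(np.prod([dims[k] for k in keep]))
    return t.reshape(d, d)

def S(rho, *keep):
    return entropy(reduce_to(rho, DIMS, sorted(keep)))

def mutual_info(rho, x, y):
    """I(X:Y) = S(X) + S(Y) - S(XY)."""
    return S(rho, x) + S(rho, y) - S(rho, x, y)

def cond_mutual_info(rho):
    """I(A:B|E) = S(AE) + S(BE) - S(ABE) - S(E)."""
    return S(rho, A, E) + S(rho, B, E) - S(rho, A, B, E) - S(rho, E)

def key_lower_bound(rho):
    """Right-hand side of (6): I(A:B) - I(A:E)."""
    return mutual_info(rho, A, B) - mutual_info(rho, A, E)

def ket(bits):
    """Computational basis vector |b1 b2 ...> of qubits."""
    v = np.zeros(2 ** len(bits))
    v[int("".join(map(str, bits)), 2)] = 1.0
    return v

def measure_AB(rho):
    """Alice and Bob measure in the computational basis (A and B become classical)."""
    out = np.zeros_like(rho)
    for i in (0, 1):
        for j in (0, 1):
            P = np.kron(np.outer(ket([i, j]), ket([i, j])), np.eye(2))
            out += P @ rho @ P
    return out

def singlet_example():
    """rho_ABE = |psi><psi|_AB (x) rho_E, with rho_E maximally mixed (assumption)."""
    psi = (ket([0, 0]) + ket([1, 1])) / np.sqrt(2)
    rho = np.kron(np.outer(psi, psi), np.eye(2) / 2)
    # Any channel on E keeps the product form, so I(A:B|E') = I(A:B) for every E'
    # and this value is also the intrinsic information of (17).
    return {"I(A:B|E)": cond_mutual_info(rho),
            "key_lower_bound": key_lower_bound(measure_AB(rho))}

def eve_copy_example():
    """ccc state in which Eve holds a copy of the shared bit: no key is left."""
    rho = 0.5 * sum(np.outer(ket([b, b, b]), ket([b, b, b])) for b in (0, 1))
    return {"I(A:B|E)": cond_mutual_info(rho),
            "key_lower_bound": key_lower_bound(rho)}

if __name__ == "__main__":
    print(singlet_example())
    print(eve_copy_example())
```

For the singlet the lower bound already equals the value $K_D = 1$ of (16), while the conditional mutual information is twice as large; once Eve holds a copy of the bit both quantities vanish.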

3.3.2 The locking effect 

We will now give a concrete example which shows that there is a purification $|\psi\rangle_{AA'BB'E}$ of $\rho_{ABE}$
such that

$$K_D(\rho_{ABE}) = E_R(\rho_{AA'BB'}) < I(AA':BB' \downarrow E)_\rho . \qquad (19)$$

Consider the distribution $p_{ijkl}$ defined by the following distribution for $p_{ij}$

and where $k$ and $l$ are uniquely determined by $(i,j)$,

$$k = i + j \pmod 2 \quad \text{for } i,j \in \{0,1\} \qquad (20)$$

$$k = i \pmod 2 \quad \text{for } i \in \{2,3\} \qquad (21)$$

$$l = \lfloor i/2 \rfloor \qquad (22)$$

for all $(i,j)$ with $p_{ij} > 0$. We denote the corresponding cccc state by

$$\rho_{ABEF} = \sum_{ijkl} p_{ijkl} |ijkl\rangle\langle ijkl| . \qquad (23)$$

Clearly $K_D(\rho_{A;B;EF}) = 0$, as Eve can factorise Alice and Bob, by keeping $k$ when $l = 1$ and
forgetting it when $l = 0$. In the former case, when $l = 0$, then Alice and Bob have $(i,j) = (2,2)$,
and when $l = 1$, then Alice and Bob have $(i,j) = (3,3)$. In the latter case, both Alice and Bob
have at random 0 or 1 and they are not correlated.

On the other hand, when Eve does not have access to $l$, then the key rate is equal to 1, i.e.,
$K_D(\rho_{A;B;E}) = 1$. Indeed, it cannot be greater, as key cannot increase more than the entropy of
the variable that was taken out from Eve. However one finds that the intrinsic information is
equal to 3/2, i.e., $I(A:B \downarrow E)_\rho = 3/2$ [7].

Let us consider the purification of the above state,

$$|\psi_{A'ABEF}\rangle = \frac{1}{2}\big(|0\rangle_{A'}|22\rangle_{AB}|0\rangle_E|0\rangle_F + |0\rangle_{A'}|33\rangle_{AB}|1\rangle_E|0\rangle_F + |\psi\rangle_{A'AB}|0\rangle_E|1\rangle_F + |\phi\rangle_{A'AB}|1\rangle_E|1\rangle_F\big), \qquad (24)$$

where

$$|\psi\rangle = \frac{1}{\sqrt{2}}(|0\rangle_{A'}|00\rangle_{AB} + |1\rangle_{A'}|11\rangle_{AB}) \qquad (25)$$

and

$$|\phi\rangle = \frac{1}{\sqrt{2}}(|0\rangle_{A'}|01\rangle_{AB} + |1\rangle_{A'}|10\rangle_{AB}) . \qquad (26)$$

Thus when $E$ and $F$ are with Eve, the state $\rho_{AA';B}$ of Alice and Bob is a mixture of four states:
$|0\rangle|22\rangle$, $|0\rangle|33\rangle$, $|\psi\rangle$ and $|\phi\rangle$. This state is separable, hence $E_R(\rho_{AA';B}) = 0$.

Consider now the state $\rho_{AA'F;B}$ where $F$ is controlled by Alice instead of Eve. Measuring $F$
makes the state separable and in [32] it was shown that measuring a single qubit cannot decrease
the relative entropy of entanglement by more than 1, thus we obtain

$$E_R(\rho_{AA'F;B}) \leq 1 . \qquad (27)$$

By Theorem 3.11 we then have $K_D(\rho_{ABE}) \leq 1$, but indeed one can distil one bit of key from
$\rho_{ABE}$, therefore

$$K_D(\rho_{ABE}) = E_R(\rho_{AA'F;B}) = 1 . \qquad (28)$$

In [3 the considered distribution was generalised to make the gap between intrinsic information 
and distillable key arbitrarily large. It is not difficult to see that Er is still bounded by one. 
This shows that the bound based on relative entropy of entanglement, though perhaps more 
complicated in use, can be significantly stronger than intrinsic information bound. We leave 
it open, whether or not the intrinsic information bound is weaker in general when compared 
to the relative entropy bound. This parallels the challenge to discover a relation between the 
relative entropy of entanglement and squashed entanglement. Here it has also been observed that 
squashed entanglement can exceed the relative entropy of entanglement by a large amount, due 
to a locking effect [33].



3.4 Upper and lower bounds when $\rho_{ABE} = \rho_{AB} \otimes \rho_E$

In this section we focus on states of the form $\rho_{ABE} = \rho_{AB} \otimes \rho_E$. Since distillable key cannot
increase under Eve's operations, the form of the state $\rho_E$ is not important and we conclude that
$K_D(\rho_{AB} \otimes \rho_E)$ is a function of $\rho_{AB}$ only. If the state $\rho_{AB}$ is classical on system A, then it is known
that distillable key is equal to the quantum mutual information, $K_D(\rho_{AB} \otimes \rho_E) = I(A : B)_\rho$
[10]. Indeed, we know from Theorem 3.5 that the key rate can never exceed $I(A : B)_\rho$. For
separable quantum states $\rho_{AB}$ we were able to further improve this bound. The upper bounds
are summarised in the following theorem, whose proof is given in Appendix C.

Theorem 3.12. For all states $\rho_{AB} \otimes \rho_E$,

$$K_D(\rho_{AB} \otimes \rho_E) \leq I(A : B)_\rho \tag{29}$$

with equality if $\rho_{AB}$ is classical on system A. If $\rho_{AB}$ is separable, i.e., $\rho_{AB} = \sum_i p_i \rho_A^i \otimes \rho_B^i$, then

$$K_D(\rho_{AB} \otimes \rho_E) \leq I_{acc}^{LOPC}(\mathcal{E}) \leq I_{acc}(\mathcal{E}) \tag{30}$$

where $\mathcal{E} = \{p_i, \rho_A^i \otimes \rho_B^i\}$ and $I_{acc}^{LOPC}(\mathcal{E})$ is the maximal mutual information that Alice and Bob
can obtain about $i$ using LOPC operations (see e.g. \3Ji\ [35]), whereas $I_{acc}(\mathcal{E})$ denotes the usual
accessible information, i.e. maximal mutual information about $i$ obtained by joint measurements.

We will now derive a general lower bound on the key rate in terms of the distillable common 
randomness. 
Definition 3.13. We say that an LOPC protocol $\mathcal{P}$ distills common randomness at rate $R_{\mathcal{P}}$ if
there exists a sequence $\{\ell_n\}_{n \in \mathbb{N}}$ such that

$R_{\mathcal{P}}$ (31)

$$\lim_{n \to \infty} \|\Lambda_n(\rho_{AB}^{\otimes n}) - \tau^{\ell_n}\| = 0 \tag{32}$$

where $m_n$ is the number of communicated bits. The distillable common randomness of a state
$\rho_{AB}$ is defined as $D_R(\rho_{AB}) := \sup_{\mathcal{P}} R_{\mathcal{P}}$.

For some protocols the rate may be negative. However it is immediate that $D_R(\rho_{AB})$ is
nonnegative for all $\rho_{AB}$. The following statement is a direct consequence of the results in [10, 11].

Theorem 3.14. For the states $\rho_{ABE} = \rho_{AB} \otimes \rho_E$ the distillable key is an upper bound on the
distillable common randomness, i.e., $K_D(\rho_{AB} \otimes \rho_E) \geq D_R(\rho_{AB})$ for all $\rho_{AB}$ and $\rho_E$.

4 Embedding classical into quantum states 

The problem of distilling key from a classical tripartite distribution (i.e., ccc states) is closely
related to the problem of distilling entanglement from a bipartite quantum state (where the
environment takes the role of the adversary), as noted in [9], [7]. It thus seems natural to ask
whether, in analogy to bound entangled quantum states (which have positive entanglement cost
but zero distillable entanglement), there might be classical distributions with bound information.
These are distributions with zero key rate but positive key cost, i.e., no key can be distilled from
them, yet key is needed to generate them. The existence of such distributions, however, is still
unproved. (There are, however, some partial positive answers, including an asymptotic result [7]
as well as a result for scenarios involving more than three parties [36].)

In [HI [Ij J it has been suggested that the classical distribution obtained by measuring bound
entangled quantum states might have bound information. Such hope, however, was put into
question by the results of [T^ , showing that there are quantum states with positive key rate but
no distillable entanglement (i.e., they are bound entangled). However, the examples of states put
forward in [15] have a rather special structure. It is thus still possible that distributions with
bound information might be obtained by measuring appropriately chosen bound entangled states.

In the following, we consider a special embedding of classical distributions into quantum states
as proposed in [S] . We then show how statements about key distillation starting from the original
state and from the embedded state are related to each other. Let

(33)

be a ccc state defined relative to fixed orthonormal bases on the three subsystems (in the following
called computational bases). We then consider the qqq embedding $\rho_{qqq} = |\psi\rangle\langle\psi|$ of $\rho_{ccc}$ given by

(34)

Note that, if Alice and Bob measure $\rho_{qqq}$ in the computational basis, they end up with a state of
the form

(35)

for some appropriately chosen $|\psi^{ij}\rangle$. We call this state the ccq embedding of $\rho_{ccc}$.
In a similar way as classical distributions can be translated to quantum states, classical protocols
have a quantum analogue. To make this more precise, we consider a classical LOPC protocol
$\mathcal{P}$ that Alice and Bob wish to apply to a ccc state $\rho_{ccc}$ as in (33). Obviously, $\mathcal{P}$ can equivalently
be applied to the corresponding ccq embedding $\rho_{ccq}$ as defined in (35) (because Alice and Bob's
parts are the same in both cases). Because Eve might transform the information she has in the
ccq case to the information she has in the ccc case by applying a local measurement, security of
the key generated by $\mathcal{P}$ when applied to $\rho_{ccq}$ immediately implies security of the key generated
by $\mathcal{P}$ when applied to $\rho_{ccc}$. Note, however, that the opposite of this statement is generally not
true.

In general, a classical protocol $\mathcal{P}$ can be subdivided into a sequence of steps of the following
form:

1. generating local randomness 

2. forgetting information (discarding local subsystems) 

3. applying permutations 

4. classical communication. 

The coherent version of $\mathcal{P}$, denoted $\mathcal{P}_q$, is defined as the protocol acting on a qqq state where
the above classical operations are replaced by the following quantum operations:

1. attaching subsystems which are in a superposition of fixed basis vectors 

2. transferring subsystems to Eve 

3. applying unitary transformations that permute fixed basis vectors 

4. adding ancilla systems (with fixed initial state) to both the receiver's and Eve's system, 
and applying controlled not (CNOT) operations to both ancillas, where the CNOTs are 
controlled by the communication bits. 

Consider now a fixed ccc state $\rho_{ccc}$ of the form (33) and let $\mathcal{P}$ be a classical protocol acting
on $\rho_{ccc}$. It is easy to see that the following operations applied to the qqq embedding $\rho_{qqq}$ of $\rho_{ccc}$
result in the same state: (i) measuring in the computational basis and then applying the classical
protocol $\mathcal{P}$; or (ii) applying the coherent protocol $\mathcal{P}_q$ and then measuring the resulting state
in the computational basis. This fact can be expressed by a commutative diagram.

[Commutative diagram relating $\rho_{qqq}$, $\rho_{ccc}$, $\mathcal{P}$, $\mathcal{P}_q$ and the two measurements] (36)

Hence, if the coherent version $\mathcal{P}_q$ of $\mathcal{P}$ acting on $\rho_{qqq}$ distills secure key bits at rate $R$ then so
does the protocol $\mathcal{P}$ applied to the original ccc state $\rho_{ccc}$.

It is natural to ask whether there are cases for which the converse of this statement holds as
well. This would mean that security of a classical protocol also implies security of its coherent
version. In the following, we exhibit a class of distributions for which this is always true. The
key rate of any such distribution is thus equal to the key rate of the corresponding embedded qqq
state.

Roughly speaking, the class of distributions we consider is characterised by the property that 
the information known to Eve is completely determined by the joint information held by Alice 
and Bob. 
Theorem 4.1. Let $\rho_{ccc}$ be a ccc state of the form (33) such that, for any pair of values $(i,j)$
held by Alice and Bob there exists at most one value $k$ of Eve with $p_{ijk} > 0$. If a classical protocol
$\mathcal{P}$ applied to $\rho_{ccc}$ produces key at rate $R$ then so does its coherent version $\mathcal{P}_q$ applied to the qqq
embedding $|\psi\rangle$ of $\rho_{ccc}$ (and followed by a measurement in the computational basis).

Proof. The ccq embedding of $\rho_{ccc}$ is given by a state of the form

$$\rho_{ccq} = \sum_{ij} p_{ij}\, |ij\rangle\langle ij|_{AB} \otimes |\psi^{ij}\rangle\langle\psi^{ij}|_E . \tag{37}$$

Since, by assumption, every pair $(i,j)$ determines a unique $k = k(i,j)$, $|\psi^{ij}\rangle\langle\psi^{ij}|$ equals
$|k(i,j)\rangle\langle k(i,j)|$ and, hence, $\rho_{ccq}$ is identical to the original ccc state $\rho_{ccc}$. The assertion then
follows from the fact that measurements in the computational basis applied to Alice and Bob's
subsystems commute with the coherent version $\mathcal{P}_q$ of $\mathcal{P}$. □

Corollary 4.2. Let $\rho_{ccc}$ be a ccc state of the form (33) such that, for any pair of values $(i,j)$
held by Alice and Bob there exists at most one value $k$ of Eve with $p_{ijk} > 0$. Then, the key rate
for the qqq embedding $\rho_{qqq}$ of $\rho_{ccc}$ satisfies

$$K_D(\rho_{qqq}) = K_D(\rho_{ccc}) . \tag{38}$$

Note that the above statements do not necessarily hold for general distributions. To see this, 
consider the state 

\^)aBA'E - mAB\ + )A'\ + )E + (39) 

where $|+\rangle := \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ and := $\frac{1}{\sqrt{2}}(|0\rangle|0\rangle + |1\rangle|1\rangle)$. Moreover, let $\rho_{ccc}$ be the ccc state
obtained by measuring $|\psi\rangle\langle\psi|_{ABA'E}$ in the computational basis. Because all its coefficients are
positive, it is easy to verify that $|\psi\rangle\langle\psi|_{ABA'E}$ can be seen as the qqq embedding of $\rho_{ccc}$. Observe
that, after discarding subsystem $A'$, $\rho_{ccc}$ corresponds to a perfect key bit. However, the ccq state
obtained from $|\psi\rangle\langle\psi|_{ABA'E}$ by discarding $A'$ and measuring in the computational basis is of the
form $\frac{1}{2}(|00\rangle\langle 00|_{AB} \otimes |+\rangle\langle +|_E + |11\rangle\langle 11|_{AB} \otimes I_E/2)$. This state, of course, does not correspond to
a key bit as Eve might easily distinguish the states $|+\rangle\langle +|$ and $I_E/2$.

We continue with a statement on the relation between the intrinsic information of a ccc state
and the so-called entanglement of formation $E_F$ of its qqq embedding. More precisely, we show
that, under the same condition as in Theorem 4.1, the first is a lower bound for the latter (see
also [38, 39]).

Theorem 4.3. Let $\rho_{ccc}$ be a ccc state of the form (33) such that, for any pair of values $(i,j)$
held by Alice and Bob there exists at most one value $k$ of Eve with $p_{ijk} > 0$, and let $\rho_{qqq}$ be the
qqq embedding of this state. Then

$$I(A : B \downarrow E)_{\rho_{ccc}} \leq E_F(\mathrm{Tr}_E(\rho_{qqq})) . \tag{40}$$

Proof. Note first that any decomposition of $\mathrm{Tr}_E(\rho_{qqq})$ into pure states can be induced by an
appropriate measurement on the system E. Hence, we have

$$E_F(\mathrm{Tr}_E(\rho_{qqq})) = \min_{\{|\bar{k}\rangle\}} \sum_{\bar{k}} p_{\bar{k}}\, S(A)_{|\psi_{\bar{k}}\rangle} \tag{41}$$

where the minimum ranges over all families of (not necessarily normalised) vectors $|\bar{k}\rangle$ such
that $\sum_{\bar{k}} |\bar{k}\rangle\langle\bar{k}| = I_E$ (this ensures that they form a measurement), $p_{\bar{k}} := |\langle\bar{k}|_E|\psi\rangle_{ABE}|^2$, and
$|\psi_{\bar{k}}\rangle := \langle\bar{k}|_E|\psi\rangle_{ABE}/\sqrt{p_{\bar{k}}}$.

Footnote: The entanglement of formation $E_F$ is an entanglement measure defined for bipartite states by
$E_F(\sigma_{AB}) := \min \sum_i p_i S(\mathrm{Tr}_B(\sigma_{AB}^i))$ where the minimum is taken over all ensembles $\{p_i, \sigma_{AB}^i\}$ with
$\sum_i p_i \sigma_{AB}^i = \sigma_{AB}$ [37].

For any pair of values $(i,j)$ held by Alice and Bob (with nonzero probability) we have
$\mathrm{Tr}_{AB}[\rho_{qqq}(|ij\rangle\langle ij| \otimes I_E)] = p_{ij}|k\rangle\langle k|$, where $k = k(i,j)$ is the corresponding (unique) value held
by Eve. Hence, the probability distribution of the state $\bar{\rho}_{ccc}$ obtained by applying the above
measurement on Eve's system satisfies

$$\bar{p}_{ij\bar{k}} := \mathrm{Tr}(|\psi\rangle\langle\psi|_{ABE}\, |ij\bar{k}\rangle\langle ij\bar{k}|) = p_{ijk}\, q_{\bar{k}|k} , \tag{42}$$

where $q_{\bar{k}|k} := \mathrm{Tr}(|\bar{k}\rangle\langle\bar{k}|\, |k\rangle\langle k|)$. The intrinsic information is thus bounded by

$$I(A : B \downarrow E)_{\rho_{ccc}} \leq \min I(A : B|E)_{\bar{\rho}_{ccc}} , \tag{43}$$

where $\bar{\rho}_{ccc}$ is the state defined above (depending on the choice of the vectors $|\bar{k}\rangle$). Moreover,
using Holevo's bound, we find

$$I(A : B|E)_{\bar{\rho}_{ccc}} \leq \min_{\{|\bar{k}\rangle\}} \sum_{\bar{k}} p_{\bar{k}}\, S(A)_{|\psi_{\bar{k}}\rangle} . \tag{44}$$

The assertion then follows from (41). □

Because the intrinsic information is additive (i.e., it is equal to its regularised version), Theorem 4.3
also holds if the entanglement of formation $E_F$ is replaced by the entanglement cost
$E_C$.

The discussion above suggests that classical key distillation from ccc states can indeed be
analysed by considering the corresponding qqq embedding of the state, but the original ccc state
has to satisfy certain properties. This relation might be particularly useful for the study of bound
information as discussed at the beginning of this section. In fact, there exist bound entangled
states which satisfy the property required by Theorem 4.1 above [40].



5 On locking and pre-shared keys 

In [7] it was observed that, by adding one bit of information to Eve, the (classical) intrinsic information
can decrease by an arbitrarily large amount. In [16] it was shown that classical correlation
measures of quantum states can exhibit a similar behaviour; more precisely, the accessible information
can drop by an arbitrarily large amount when a single bit of information is lost. This
phenomenon has been named locking of information or just locking. For tripartite states $\rho_{ABE}$,
locking comes in two flavours: i) locking caused by removing information from Eve, ii) locking
caused by removing information from Alice and/or Bob (and possibly giving it to Eve). Let us
call those variants E-locking and AB-locking, respectively.

In [32] it was shown that entanglement cost as well as many other entanglement measures can
be AB-locked. Further results show that squashed entanglement and entanglement of purification
are also AB-lockable [531 EI]. So far the only known non-lockable entanglement measure is relative
entropy of entanglement.

It was shown in [7] that distillable key is not E-lockable for classical states. In the sequel we
extend this result and prove that the distillable key for quantum states $\rho_{ABE}$ is not E-lockable,
either. The proof proceeds along the lines of [7], replacing the bound of Csiszár and Körner by
its quantum generalisations due to [10] (see also [11]). Let us emphasise that we leave open the
question on whether distillable key is AB-lockable (even for ccc states).

Theorem 5.1. Consider a state $\rho_{ABEE'}$ and let $\mathcal{P}$ be a key distillation protocol for $\rho_{ABE}$ with
rate $R_{\mathcal{P}}$. Then there exists another protocol $\mathcal{P}'$ for $\rho_{ABEE'}$ with rate $R_{\mathcal{P}'} \geq R_{\mathcal{P}} - 2S(\rho_{E'})$. If, in
addition, $E'$ is classical then $R_{\mathcal{P}'} \geq R_{\mathcal{P}} - S(\rho_{E'})$.
Proof. For any fixed $\epsilon > 0$ there exists $n \in \mathbb{N}$ such that the protocol $\mathcal{P}$ transforms $\rho_{ABE}^{\otimes n}$ into a
ccq state $\sigma_{ABE}$ which satisfies the following inequalities:

$$\|\sigma_{ABE} - \tau_{ABE}^{\ell}\|_1 \leq \epsilon, \qquad \frac{\ell}{n} \geq R_{\mathcal{P}} - \epsilon . \tag{45}$$

Suppose that Alice and Bob apply this map to the state $\rho_{ABEE'}^{\otimes n}$ (i.e., they try to distil key, as if
the system $E'$ was not present). The state $\rho_{ABEE'}^{\otimes n}$ is then transformed into some state $\sigma_{ABEE'}$
which traced out over $E'$ is equal to the ccq state $\sigma_{ABE}$. Repeating this protocol $m$ times results
in $\sigma_{ABEE'}^{\otimes m}$, from which Alice and Bob can draw at least $m(I(A : B)_\sigma - I(A : EE')_\sigma) - o(m)$ bits
of key by error correction and privacy amplification [10]. This defines a protocol $\mathcal{P}'$. To evaluate
its rate, we use subadditivity of entropy which gives the estimate

$$I(A : EE')_\sigma \leq I(A : E)_\sigma + I(AE : E')_\sigma . \tag{46}$$

From (45) and the conditional version of Fannes' inequality [25] we know that, for any $\epsilon \in [0, 1]$,

$$I(A : B)_\sigma - I(A : E)_\sigma \geq (1 - 8\epsilon)\ell - 4H(\epsilon) . \tag{47}$$

This together with (46) implies

$$K_D(\sigma_{ABEE'}) \geq I(A : B)_\sigma - I(A : EE')_\sigma \geq (1 - 8\epsilon)\ell - 4H(\epsilon) - I(AE : E')_\sigma . \tag{48}$$

To get the key rate of $\mathcal{P}'$, we divide the above by $n$ and use (45):

$$R_{\mathcal{P}'} \geq \frac{1}{n} K_D(\sigma_{ABEE'}) \geq (1 - 8\epsilon)(R_{\mathcal{P}} - \epsilon) - \frac{1}{n} 4H(\epsilon) - \frac{1}{n} I(AE : E')_\sigma . \tag{49}$$

Because this holds for any $\epsilon > 0$, the assertion follows from $I(AE : E')_\sigma \leq 2S(E')_\sigma = 2nS(E')_\rho$
and, if $E'$ is classical, $I(AE : E')_\sigma \leq S(E')_\sigma = nS(E')_\rho$. □

Applying the above theorem to an optimal protocol leads to the statement that the key rate
$K_D$ is not E-lockable.

Corollary 5.2. For any state $\rho_{ABEE'}$, $K_D(\rho_{ABEE'}) \geq K_D(\rho_{ABE}) - 2S(\rho_{E'})$ and, if $E'$ is
classical, $K_D(\rho_{ABEE'}) \geq K_D(\rho_{ABE}) - S(\rho_{E'})$.

Consider now a situation where Alice and Bob have some pre-shared key U which is not known 
to Eve. 

A major consequence of Theorem 5.1 is that a pre-shared key cannot be used as a catalyst to
increase the key rate. More precisely, the corollary below implies that, for any protocol $\mathcal{P}$ that
uses a pre-shared key held by Alice and Bob, there is another protocol $\mathcal{P}'$ which is as efficient as
$\mathcal{P}$ (with respect to the net key rate), but does not need a pre-shared key.

Corollary 5.3. Let $\mathcal{P}$ be a key distillation protocol for $\rho_{ABE} \otimes \tau^{\ell}$ where $\tau^{\ell}$ is some additional
$\ell$-bit key shared by Alice and Bob. Then there exists another protocol $\mathcal{P}'$ for $\rho_{ABE}$ with rate
$R_{\mathcal{P}'} \geq R_{\mathcal{P}} - \ell$.

Proof. Consider the state $\rho_{A'B'EE'}$ where $E'$ is a system containing the value $U$ of a uniformly
distributed $\ell$-bit key, $A' := (A, U)$, and $B' := (B, U)$. Note that $\rho_{A'B'E}$ is equivalent to $\rho_{ABE} \otimes \tau^{\ell}$.
The assertion then follows from the observation that any protocol which produces a secure key
starting from $\rho_{A'B'EE'}$ can easily be transformed into an (equally efficient) protocol which starts
from $\rho_{ABE}$, because Alice and Bob can always generate public shared randomness. □

Footnote: $H(\epsilon)$ denotes the binary entropy, i.e., the Shannon entropy of the distribution $[\epsilon, 1 - \epsilon]$.

The following example shows that the factor 2 in Theorem 5.1 and Corollary 5.2 is strictly
necessary. Let

$$\rho_{ABEE'} = \sum_{i=1}^{4} \frac{1}{4}\, |ii\rangle\langle ii|_{AB} \otimes |\psi_i\rangle\langle\psi_i|_{EE'} \tag{50}$$

where $|\psi_i\rangle$ are the four Bell states on the bipartite system $EE'$. Then, obviously, $K_D(\rho_{ABEE'}) = 0$,
but if $E'$ (which is only one qubit) is lost, then $K_D(\rho_{ABE}) = 2$, since $E$ is then maximally
mixed conditioned on $i$. One recognises here the effect of superdense coding.



6 Classical and quantum adversaries in QKD 

Up to now, we have considered an adversary with unbounded resources. Of course, if one limits
the adversary's capabilities, certain cryptographic tasks might become easier. In the following,
we will examine a situation where the adversary cannot store quantum states and, hence, is
forced to apply a measurement, turning them into classical data. We will exhibit an example of
a $2d$-dimensional ccq state which only has key rate 1, but if Eve is forced to measure her system,
the key rate rises to roughly $\frac{1}{2} \log d$.

Note that upper bounds on the key rate which are defined in terms of an optimal measurement
on Eve's system (see, e.g., [1^ and Section 3) are also upper bounds on the key rate in a
setting where Eve has no quantum memory. Hence, our result implies that these upper bounds
are generally only rough estimates for the key rate in the unbounded scenario.

Consider the state

$$\rho_{AA'BB'E} = \frac{1}{2d} \sum_{k=1}^{d} \Big( |00\rangle\langle 00|_{AB} \otimes |kk\rangle\langle kk|_{A'B'} \otimes |k\rangle\langle k|_E + |11\rangle\langle 11|_{AB} \otimes |kk\rangle\langle kk|_{A'B'} \otimes U|k\rangle\langle k|_E U^{\dagger} \Big) \tag{51}$$

where $U$ is the quantum Fourier transform on $d$ dimensions. (Such a state has been proposed
in [16] to exhibit a locking effect of the accessible information. It also corresponds to the flower
state of [3g.)

It is easy to see that the bit in the system AB is uncorrelated to Eve's information and, hence,
completely secret, i.e., $K_D(\rho_{AA'BB'E}) = K_D(\rho_{AB}) \geq 1$. On the other hand, if this bit is known
to Eve then she has full knowledge on the state in $A'B'$, i.e., $K_D(\rho_{AA'BB'EE'}) \leq I(AA' : BB' \downarrow EE')_\rho = 0$,
where $E'$ is a classical system carrying the value of the bit in AB (see Theorem 3.5).
From this and Corollary 5.2 (or, alternatively, Theorem 3.9), we conclude that the key rate
(relative to an unbounded adversary) is given by

$$K_D(\rho_{AA'BB'E}) = K_D(\rho_{AB}) = 1 . \tag{52}$$

Let us now assume that Eve applies a measurement on her system E, transforming the state
defined above into a ccc state $\sigma_{AA'BB'E}$. Because the values of Alice and Bob are maximally
correlated, it is easy to see that the key rate of this state satisfies $K_D(\sigma_{AA'BB'E}) = S(A|E)_\sigma =
S(A)_\sigma - I(A : E)_\sigma$. Note that $S(A)_\sigma = 1 + \log d$. Moreover, the mutual information $I(A : E)_\sigma$ for
an optimal measurement on E corresponds to the so-called accessible information, which equals
$\frac{1}{2} \log d$, as shown in [16]. We thus conclude that

$$K_D(\sigma_{AA'BB'E}) = 1 + \frac{1}{2} \log d . \tag{53}$$

Note that the accessible information is additive, so even if the measurements are applied to blocks
of states, the amount of key that can be generated is given by this expression.
The above result gives some insights into the strength of attacks considered in the context of
quantum key distribution (QKD). A so-called individual attack corresponds to a situation where
the adversary transforms his information into classical values. In contrast, a collective attack is
more general and allows the storage of quantum states.

As shown in [18], for most QKD protocols, security against collective attacks implies security
against any attack allowed by the laws of quantum physics. The above result implies that the
same is not true for individual attacks, i.e., these might be arbitrarily weaker than collective (and,
hence, also general) attacks.
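A numerical check of (53) for an Eve without quantum memory, as an added example that is not part of the paper: it builds the ccc distribution obtained when Eve measures her part of state (51) and evaluates $S(A)_\sigma - I(A : E)_\sigma$, where A stands for Alice's pair (bit, k). The two measurement bases tried here (computational and Fourier) and all function names are assumptions of this sketch; that no other measurement gives Eve more than $\frac{1}{2} \log d$ is the result cited from [16], which the code does not prove.

```python
import cmath
import math


def qft_matrix(d):
    """d x d quantum Fourier transform, U[j][k] = exp(2*pi*i*j*k/d) / sqrt(d)."""
    return [[cmath.exp(2j * math.pi * j * k / d) / math.sqrt(d) for k in range(d)]
            for j in range(d)]


def measured_distribution(d, fourier_basis=False):
    """Joint distribution p[(b, k, e)] after Eve measures her part of state (51).

    Alice and Bob hold the bit b (system AB) and the index k (system A'B').
    Eve holds |k> if b = 0 and U|k> if b = 1. She measures either in the
    computational basis {|e>} or in the Fourier basis {U|e>} (assumed choices)
    and keeps only the classical outcome e.
    """
    U = qft_matrix(d)
    dist = {}
    for b in (0, 1):
        for k in range(d):
            # Eve's state vector for this (b, k): column k of the identity or of U.
            state = [U[j][k] if b else (1.0 if j == k else 0.0) for j in range(d)]
            for e in range(d):
                if fourier_basis:
                    amp = sum(U[j][e].conjugate() * state[j] for j in range(d))
                else:
                    amp = state[e]
                prob = abs(amp) ** 2 / (2 * d)  # each (b, k) has prior weight 1/(2d)
                if prob > 1e-12:                # drop floating-point zeros
                    dist[(b, k, e)] = prob
    return dist


def entropy(probs):
    """Shannon entropy in bits."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def marginal(dist, keep):
    """Marginal of the joint distribution on the tuple positions listed in keep."""
    out = {}
    for key, p in dist.items():
        sub = tuple(key[i] for i in keep)
        out[sub] = out.get(sub, 0.0) + p
    return out


def classical_eve_key_rate(d, fourier_basis=False):
    """Return (S(A), I(A:E), S(A) - I(A:E)) for the measured ccc state."""
    dist = measured_distribution(d, fourier_basis)
    s_a = entropy(marginal(dist, (0, 1)).values())   # Alice's data: (b, k)
    s_e = entropy(marginal(dist, (2,)).values())     # Eve's outcome e
    s_ae = entropy(dist.values())
    info = s_a + s_e - s_ae                          # I(A:E)
    return s_a, info, s_a - info


if __name__ == "__main__":
    for d in (2, 4, 16, 64):
        s_a, info, rate = classical_eve_key_rate(d)
        print(f"d={d:3d}  S(A)={s_a:.3f}  I(A:E)={info:.3f}  "
              f"rate={rate:.3f}  (quantum-memory Eve, eq. (52): 1)")
```

Both bases give Eve exactly $\frac{1}{2} \log d$ bits, so the computed rate matches (53) and grows with $d$, while the rate against an adversary with quantum memory stays at 1 as in (52).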
A On the definition of the key rate

The following lemma achieves a simplification of the definition of distillable key $K_D$ (Definition [iJ]).

Lemma A.1. The maximisation in the definition of $K_D$ can be restricted to protocols that use
communication at most linear in the number of copies of $\rho_{ABE}$.

Proof. Let $\{\Lambda_n\}_{n \in \mathbb{N}}$ be a key distillation protocol with rate $R$ and with communication not
necessarily linear in $n$. Fix $\epsilon > 0$. Then there exists an $n_0$ such that

$$\|\Lambda_{n_0}(\rho_{ABE}^{\otimes n_0}) - \tau_{ABE}^{\ell_{n_0}}\|_1 \leq \epsilon \tag{54}$$

and $\ell_{n_0}/n_0 \geq R - \epsilon$. Consider now key distillation from many copies of $\sigma_{ABE} := \Gamma(\Lambda_{n_0}(\rho_{ABE}^{\otimes n_0}))$,
where $\Gamma$ is a measurement of Alice and Bob in their computational bases. We can limit the
dimension of Alice's and Bob's system to $2^{\ell_{n_0}}$, because any additionally appearing symbols could
be mapped, for instance, to the symbol 1. This allows us to bound the difference in the mutual
informations with help of a conditional version of Fannes' inequality [25],

$$I(A : B)_\sigma - I(A : E)_\sigma \geq (1 - 8\epsilon)\ell_{n_0} - 4H(\epsilon) , \tag{55}$$

which holds if $\epsilon \leq 1$. Alice and Bob can achieve the rate $I(A : B)_\sigma - I(A : E)_\sigma$ using communication
linear in the number of copies of $\sigma_{ABE}$, since $\sigma_{ABE}$ is evidently a ccq state [10, 11]. We
have therefore modified the protocol $\{\Lambda_n\}_{n \in \mathbb{N}}$ achieving a rate $R$ into a protocol $\{\tilde{\Lambda}_n\}_{n \in \mathbb{N}}$ with a
rate

$$\tilde{R} \geq (1 - 8\epsilon)(R - \epsilon) - \frac{4H(\epsilon)}{n_0} . \tag{56}$$

The amount of communication in this protocol is proportional to the number of copies of $\rho_{ABE}$.
Since $\epsilon$ was arbitrary we obtain a sequence of protocols (each with communication linear in the
number of copies of $\rho_{ABE}$) which approaches the rate $R$. □






B Proof of Theorem 3.5



To show that the intrinsic information is an upper bound on the key rate, it suffices to verify that
it satisfies the requirements of Theorem 3.1. We start by proving monotonicity of $I(A : B|E')$
under LOPC operations.

Monotonicity. Local operations, i.e., operations on either Alice's or Bob's side, consist of
adding a local ancilla system, applying a local unitary transformation and removing a local
subsystem. The two first operations leave $I(A : B|E')$ constant. So we have to show that
$I(A : B|E')$ does not increase under partial trace, i.e. $I(A : B'|E') \leq I(A : B'B''|E')$. This
follows immediately from chain rule and the positivity of the quantum mutual information:

$$I(A : B'|E') = I(A : B'B''|E') - I(A : B''|E'B') \leq I(A : B'B''|E') . \tag{57}$$

Public communication from Alice to Bob is the process where a classical register $C$ is copied to
both Bob and Eve. This can be done in two steps. First, two copies $C'$ and $C''$ of $C$ are created
locally on Alice's side, hence $I(ACC'C'' : B|E') = I(AC : B|E')$. Second, Alice hands over $C'$
to Eve and $C''$ to Bob. In order to conclude that the conditional mutual information is non-increasing
under public communication, it therefore suffices to show that $I(AC : BC''|C'E') \leq
I(ACC'C'' : B|E')$. Writing it out in terms of entropies, the claim is

$$S(ACC'E') + S(BC'C''E') - S(C'E') \leq S(ACC'C''E') + S(BE') - S(E') \tag{58}$$

which is equivalent to

$$S(ACE') + S(BCE') - S(CE') \leq S(ACE') + S(BE') - S(E') \tag{59}$$

since $C'$ and $C''$ are copies of $C$. Eliminating the term $S(ACE')$ we see that the claim is true by
strong subadditivity of von Neumann entropy.

Since the statement holds for arbitrary channels, it also holds for the intrinsic information.

Asymptotic continuity. Let $\|\rho_{ABE} - \sigma_{ABE}\|_1 \leq \epsilon$. Since the trace distance is non-increasing
under CPTP maps we find $\|\rho_{ABE'} - \sigma_{ABE'}\|_1 \leq \epsilon$, where $\rho_{ABE'} = (I_{AB} \otimes \Lambda_{E \to E'})(\rho_{ABE})$ and
$\sigma_{ABE'} = (I_{AB} \otimes \Lambda_{E \to E'})(\sigma_{ABE})$. By the conditional version of Fannes' inequality we find

$$|I(A : B|E')_\rho - I(A : B|E')_\sigma| \leq 8\epsilon \log d_A + 4H(\epsilon) . \tag{60}$$

Since the statement holds for arbitrary channels, it also holds for the intrinsic information.

Normalisation. This property can be verified by inserting $\tau_{ABE}$ into the definition of the
intrinsic information.

Subadditivity. We first prove additivity on tensor products for the mutual information:

\begin{align}
I(A_1A_2 : B_1B_2|E_1'E_2') &= I(A_1 : B_1|E_1'E_2') + \underbrace{I(A_1 : B_2|E_1'E_2'B_1)}_{=0} \tag{61} \\
&\quad + I(A_2 : B_2|E_1'E_2'A_1) + \underbrace{I(A_2 : B_1|E_1'E_2'A_1B_2)}_{=0} \notag \\
&= I(A_1 : B_1|E_1') + I(A_2 : B_2|E_2') \tag{62}
\end{align}

where the last equality follows by the independence of $\rho_{A_1B_1E_1'}$ and $\rho_{A_2B_2E_2'}$. Subadditivity for
the intrinsic information follows from the observation that the infimum in the definition includes
product channels. □
C Proof of Theorem 3.12

The statement $K_D(\rho_{AB} \otimes \rho_E) \leq I(A : B)$ follows from the intrinsic information bound. The
equality condition is a consequence of (6).

To prove the second part of the theorem, we view $\rho_{AB}$ as the partial state of a tripartite state

$$\rho_{ABD} = \sum_i p_i\, |i\rangle\langle i|_D \otimes \rho_A^i \otimes \rho_B^i \tag{63}$$

where $D$ is a classical register. Consider a key distillation protocol for the state $\rho_{AB}$ with rate $\mathcal{R}$.
For the map on $n$ copies of the state, let $C$ be the overall communication and let $A'$ and $B'$ denote
the classical keys generated by Alice and Bob, respectively. The definition of the key rate implies
that $I(A' : B'|C)/n$ converges to $\mathcal{R}$. It is our goal to find an upper bound for $I(A' : B'|C)$.

Note that $I(A' : B'|CD) = 0$ since the only correlations between Alice and Bob come from $D$
and from communication. Thus from the chain rule we get $I(A' : B'D|C) = I(A' : D|C)$ so that

$$I(A' : B'|C) \leq I(A' : D|C) = I(A'C : D|C) \leq I(A'B'C : D) . \tag{64}$$

The r.h.s. is a lower bound for the LOPC-accessible information of $n$ copies of the ensemble $\mathcal{E}$.
However LOPC-accessible information is additive if its members are separable [52]. Thus we
obtain

$$I_{acc}^{LOPC}(\{p_i, \rho_A^i \otimes \rho_B^i\}) \geq \frac{1}{n} I(A' : B'|C) \to \mathcal{R} . \tag{65}$$

Of course $I_{acc}$ is by definition not smaller than $I_{acc}^{LOPC}$. This concludes the proof since the above
holds for any protocol. □